[strongSwan] (Vici) How to disconnect a VPN connection on the server side?
tobias at strongswan.org
Mon Sep 9 14:38:01 CEST 2019
> Is there is a way to disconnect a specific strongswan user from the
> command line?
Not directly (at least not via vici, it might be possible via RADIUS,
depending on the RADIUS server).
> I have found the Vici plugin, but there is no documentation whatsoever.
What do you mean?  provides an overview and has a link to the
README.md file that describes the available commands and even contains
simple code examples. The Python bindings are basically a wrapper that
provides a convenient interface for these commands.
> import vici
> s = vici.Session()
> <generator object Session.streamed_request at 0x7ff658411ed0>
That returns the configured connections, so that's not really useful to
you. More interesting will be the list of established IKE_SAs (s.list_sas).
> Looking at the code there is a "filters" as an argument to pass in:
That argument can be used to pass information to the command (check the
README for what the options are). For example, with list-sas you can
filter based on the name or unique ID of an SA and/or pass a flag that
determines if the command operates in non-blocking mode (blocked SAs are
skipped). There is no option to filter by remote/user ID, so you have
to enumerate the established SAs (list-sa documents the returned
information) and check remote-(eap-)id yourself.
> But I'm stuck as I don't know how to set that. There must be some kind
> of documentation for this right?
As I said, the README file documents the commands and arguments.
> I suppose once I have the actual SA, I could pass it to terminate().
Get the unique ID of the SA and then terminate it using that.
More information about the Users